Re: [klibc] process '/usr/bin/rsync' started with executable stack

From: Christophe Leroy
Date: Fri Jun 26 2020 - 00:44:29 EST




Le 25/06/2020 Ã 22:20, Kees Cook a ÃcritÂ:
On Thu, Jun 25, 2020 at 01:04:29PM +0300, Dan Carpenter wrote:
On Wed, Jun 24, 2020 at 12:39:24PM -0700, Kees Cook wrote:
On Wed, Jun 24, 2020 at 07:51:48PM +0300, Dan Carpenter wrote:
In Debian testing the initrd triggers the warning.

[ 34.529809] process '/usr/bin/fstype' started with executable stack

Where does fstype come from there? I am going to guess it is either
busybox or linked against klibc?

klibc has known problems with executable stacks due to its trampoline
implementation:
https://wiki.ubuntu.com/SecurityTeam/Roadmap/ExecutableStacks

Yeah. It comes from klibc-utils.

This is exactly what I was worried about back in Feb:
https://lore.kernel.org/lkml/202002251341.48BC06E@keescook/

This warning, combined with klibc-based initrds, makes the whole thing
pointless because it will always warn once on boot for the klibc stack,
and then not warn about anything else after that.

It looks like upstream klibc hasn't been touched in about 4 years, and
it's been up to Ben to keep it alive in Debian.

A couple ideas, in order of my preference:

1) stop using klibc-utils[1]. initramfs-tools-core is the only thing with a
dependency on klibc-utils. Only a few things are missing from busybox.

Does busybox cleanly build with klibc lib ?
If it does, is the result as small ?


2) make the warning rate-limited instead?

3) fix the use of trampolines in klibc

That's done, see https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9d8d648e604026b32cad00a84ed6c29cbd157641

Discussed here https://lists.zytor.com/archives/klibc/2020-February/004271.html

Christophe


Thoughts?

-Kees


[1] Ben appears well aware of this idea, as he suggested it in 2018. :)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887159